19 October 2021
App management
New app categories available to better target app protection policies
We have improved the UX of Microsoft Endpoint Manager by creating categories of apps that you can use to more easily and quickly target app protection policies. These categories are All public apps, Microsoft apps, and Core Microsoft apps. After you have created the targeted app protection policy, you can select View a list of the apps that will be targeted to see which apps will be affected by the policy. As new apps are supported, we will dynamically update these categories to include those apps as appropriate, and your policies will be automatically applied to all apps in your selected category. If needed, you can continue to target policies for individual apps as well. For more information, see How to create and assign app protection policies and Create and deploy Windows Information Protection (WIP) policy with Intune.
Device configuration
New iOS device restriction settings for built-in apps, doc viewing
There are two new device restriction settings you can configure on iOS devices (Devices > iOS/iPadOS > Configuration profiles > Create profile and select Device restrictions for profile) in Intune.
- Block Siri for translation (Built-in Apps): Disables the connection to Siri servers so that users can't use Siri to translate text. Applies to iOS and iPadOS versions 15 and later.
- Allow copy/paste to be affected by managed open-in (App Store, Doc Viewing, Gaming): Enforces copy/paste restrictions based on how you configured Block viewing corporate documents in unmanaged apps and Block viewing non-corporate documents in corporate apps.
For more information about iOS device restriction profiles in Intune, see iOS and iPadOS device settings to allow or restrict features using Intune.
New macOS device restriction setting blocks users from erasing all content and settings on device
There's a new macOS device restriction setting available (Devices > macOS > Configuration profiles > Create profile, then select Templates > Device restrictions for profile) in Intune.
Block users from erasing all content and settings on device (General): Disables the reset option on supervised devices so that users can't reset their device to factory settings.
For more information about macOS device restriction profiles in Intune, see macOS device settings to allow or restrict features using Intune.
Applies to:
- macOS version 12 and later
New software update restriction settings for macOS
There are five new software update settings available when configuring a macOS device restriction profile (Devices > macOS > Configuration profiles > Create profile, then select Templates > Device restrictions for profile) in Intune.
- Defer software updates (General): Prevents users from seeing certain types of newly released updates until after a deferral period. Deferring software updates doesn't stop or change scheduled updates. Types of software updates you can defer include: Major OS software updates, Minor OS software updates, Non-OS software updates, or any combination of the three.
- Delay default visibility of software updates (General): Defers the default visibility of all software updates for up to 90 days. After the deferral period, updates will become available to users. This value takes precedence over the default visibility value. Applies to macOS, version 10.13.4 and later.
- Delay visibility of major OS software updates (General): Delays visibility of major OS software updates for up to 90 days. After the deferral period, updates will become available to users. This value takes precedence over the default visibility value. Applies to macOS, version 11.3 and later.
- Delay visibility of minor OS software updates (General): Delays visibility of minor OS software updates for up to 90 days. After the deferral period, updates will become available to users. This value takes precedence over the default visibility value. Applies to macOS, version 11.3 and later.
- Delay visibility of non-OS software updates (General): Delays visibility of non-OS software updates (such as Safari updates) for up to 90 days. After the deferral period, updates will become available to users. This value takes precedence over the default visibility value. Applies to macOS, version 11.0 and later.
For more information about macOS device restriction profiles in Intune, see macOS device settings to allow or restrict features using Intune.
New device restriction setting for Android Enterprise: Developer settings
There is a new device restriction setting for Android Enterprise devices (Devices > Android Enterprise > Configuration profiles > Create profile and select Device restrictions for profile) in Intune.
- Developer settings: When set to Allow, users can access the developer settings on their devices. By default, it's set to Not configured. Applies to fully managed, dedicated, and corporate-owned work profile devices.
For more information about Android Enterprise device restriction profiles, see Android Enterprise device settings to allow or restrict features using Intune.
New device restrictions setting prevents sharing work profile contacts with paired Bluetooth devices
A new device restrictions setting for corporate-owned work profile devices prevents users from sharing their work profile contacts with paired Bluetooth devices, such as cars or mobile devices. To configure the setting, go to Devices > Configuration profiles > Create profile > Android Enterprise for platform > Device restrictions for profile.
- Setting name: Contact sharing via Bluetooth (work profile-level)
- Setting toggles:
  - Block: Blocks users from sharing work profile contacts via Bluetooth.
  - Not configured: Doesn't enforce any restrictions on the device, so users might be able to share their work profile contacts via Bluetooth.
Device management
Intune now supports iOS/iPadOS 13 and higher
Microsoft Intune, including the Intune Company Portal and Intune app protection policies, now requires iOS/iPadOS 13 and higher.
Intune now supports macOS 10.15 and later
Intune enrollment and the Company Portal now support macOS 10.15 and later. Older versions are not supported.
New Android device filtering options
You can now choose the following Android enrollment types when filtering by OS in the All devices list in Intune:
- Android (personally-owned work profile)
- Android (corporate-owned work profile)
- Android (fully managed)
- Android (dedicated)
- Android (device administrator)
In Microsoft Endpoint Manager admin center, select Devices > All devices and view the OS column for specific Android enrollment types. For more information about Android enrollment types, see Intune reports.
Settings catalog policies for policy sets
In addition to profiles based on templates, you can add a profile based on the Settings catalog to your policy sets. The Settings catalog is a list of all the settings you can configure. To create a policy set in Microsoft Endpoint Manager admin center, select Devices > Policy sets > Policy sets > Create. For more information, see Use policy sets to group collections of management objects and Use the settings catalog to configure settings on Windows and macOS devices - preview.
Configure Managed Home Screen sign-in settings for Android Enterprise dedicated devices
You can now configure Managed Home Screen sign-in settings in device configuration when using Android Enterprise dedicated devices enrolled using Azure AD Shared device mode. You no longer need to use app configuration for these settings. For related information, see Configure the Microsoft Managed Home Screen app for Android Enterprise.
Use Feature Updates to upgrade devices to Windows 11
You can use Feature updates for Windows 10 and later policy to upgrade devices that meet the Windows 11 minimum requirements to Windows 11. It's as easy as configuring a new feature updates policy that specifies the available Windows 11 version as the feature update you want to deploy.
Use the Collect diagnostics remote action as a bulk device action for Windows devices
We’ve added the Collect diagnostics remote action as a Bulk device action that you can run for Windows devices. As a bulk device action for Windows devices, use Collect diagnostics to collect Windows device logs from up to 25 devices at a time without interrupting device users.
Support for Locate device remote action on Android Enterprise dedicated devices
You can use the Locate device remote action to get the current location of a lost or stolen Android Enterprise dedicated device that is online. If you attempt to locate a device that's currently offline, you'll see its last known location instead, as long as that device was able to check in with Intune within the last seven days.
For more information, see Locate lost or stolen devices.
Android Enterprise dedicated devices support the Rename remote action
You can now use the Rename remote action on Android Enterprise dedicated devices. You can rename devices individually and in bulk. When using bulk Rename actions, the device name must include a variable that adds either a random number or the device's serial number.
For more information, see Rename a device in Intune.
New Azure AD device ID and Intune device ID search parameters added
When searching devices in Devices > All devices, you can now search by Azure AD device ID or Intune device ID. For a list of the device details available in Intune, see View device details with Microsoft Intune.
Device security
Tenant attach: Device status for endpoint security policies
You can review the status of endpoint security policies for tenant attached devices. The Device Status page can be accessed for all endpoint security policy types for tenant-attached clients. For more information, see Device status for the endpoint security policy types.
Attack surface reduction profiles for Configuration Manager tenant attach
We’ve added two endpoint security profiles for attack surface reduction policy that you can use with devices you manage with Configuration Manager tenant attach. These profiles are in preview and manage the same settings as the similarly named profiles you use for devices managed by Intune. You'll find these new profiles when you configure attack surface reduction policy for the Windows 10 and later (ConfigMgr) platform.
The new profiles for tenant attach:
- Exploit Protection (ConfigMgr) (preview) - Exploit protection helps protect against malware that uses exploits to infect devices and spread. Exploit protection consists of a number of mitigations that can be applied to either the operating system or individual apps.
- Web Protection (ConfigMgr) (preview) - Web protection in Microsoft Defender for Endpoint uses network protection to secure your machines against web threats. Web protection stops web threats without a web proxy and can protect machines while they are away or on premises. Web protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your custom indicator list.
Expanded support for Windows Defender Security Center for tenant attach devices
We’ve updated the Windows Security experience (preview) profile in endpoint security Antivirus policy to support additional settings for devices you manage with Configuration Manager tenant attach.
Previously, this profile was limited to Tamper Protection for your tenant attached devices. The updated profile now includes settings for the Windows Defender Security Center. You can use these new settings to manage the same details for tenant attached devices that you already manage with the similarly named profile for Intune managed devices.
For more information about this profile, see Endpoint security Antivirus policy.
Intune apps
Notifications from the iOS/iPadOS Company Portal app
Notifications from the iOS/iPadOS Company Portal app are now delivered to devices using the default Apple sound, rather than being delivered silently. To turn the notification sound off for the iOS/iPadOS Company Portal app, select Settings > Notifications > Comp Portal and select the Sound toggle. For related information, see Company Portal app notifications.
Monitor and troubleshoot
Organizational report focused on device configuration
We have released a new Device configuration organizational report. This report replaces the existing Assignment status report found in the Microsoft Endpoint Manager admin center under Devices > Monitor. The Device configuration report allows you to generate a list of profiles in the tenant that have devices in a state of success, error, conflict, or not applicable. You can use filters for the profile type, OS, and state. The returned results will provide search, sort, filter, pagination, and export capabilities. In addition to device configuration details, this report provides resource access details, and new settings catalog profile details. For related information, see Intune Reports.
Updated support experience in Microsoft Endpoint Manager admin center
We've introduced an improved support experience in the Microsoft Endpoint Manager admin center, available for Intune and co-management support flows. The new experience guides you to issue-specific troubleshooting insights and web-based solutions to get you to a resolution faster.
To learn more about this change, see our support blog post.
Safeguard holds are now visible in the Feature update failures report
When a device is blocked from installing a Windows update due to a safeguard hold, you'll now be able to view details about that hold in the Feature update failures report in the Microsoft Endpoint Manager admin center.
A device with a safeguard hold appears as a device with an error in the report. When you view details for such a device, the Alert Message column displays Safeguard Hold, and the Deployment Error Code column displays the ID of the safeguard hold.
Microsoft occasionally places safeguard holds to block installation of an update on a device when something detected on that device is known to result in a poor post-update experience. For example, software or drivers are common reasons to place a safeguard hold. The hold remains in place until the underlying issue is resolved, and the update is safe to install.
To learn more about active safeguard holds and expectations for their resolution, go to the Windows release health dashboard at https://aka.ms/WindowsReleaseHealth.
Update to the Assignment failures operational report
Security baselines and endpoint security profiles have been added to the existing Assignment failures report. The profile types are differentiated using the Policy type column, with the ability to filter. Role-based access control (RBAC) permissions have been applied to the report to filter on the set of policies that an admin can see. Those RBAC permissions include the Security Baseline permission, the Device Configuration permission, and the Device Compliance Policies permission. The report shows the number of devices in a state of error and conflict for a given profile, with the ability to drill down into a detailed list of those devices or users and further into the setting details. You can find the Assignment failures report in Microsoft Endpoint Manager admin center by selecting Devices > Monitor, or by selecting Endpoint Security > Monitor. For more information, see Assignment failures report (Operational).